devalue affected by CPU and memory amplification from sparse arrays
Description
Published to the GitHub Advisory Database
Feb 19, 2026
Reviewed
Feb 19, 2026
Last updated
Feb 19, 2026
Under certain circumstances, serializing sparse arrays using
unevalorstringifycould cause CPU and/or memory exhaustion. When this occurs on the server, it results in a DoS. This is extremely difficult to take advantage of in practice, as an attacker would have to manage to create a sparse array on the server — which is impossible in every mainstream wire format — and then that sparse array would have to be run throughunevalorstringify.References